In an effort to assess the effectiveness of self-regulation to
protect personal privacy, the Electronic Privacy Information
Center (EPIC) surveyed the privacy policies of 76 new members of
the Direct Marketing Association (DMA). We chose the DMA because
it has been a leading proponent of self-regulation and because it
has undertaken a number of efforts to encourage privacy protection
through self-regulation. These included a policy announced in
October 1997 that the DMA would require future members to post a
privacy policy and provide an opt-out capability. Of the 76 new
members we examined, only 40 had Web sites and of these, only
eight sites had any form of privacy policy. We examined these
policies and found that only three of the new members have privacy
policies that satisfied the DMA's requirements set out in October
1997. None of the sites examined allowed individuals to gain
access to their own information. We concluded that the DMA's
efforts to promote privacy practices are having little impact on
its new members, even after repeated assurances from the DMA that
this approach is effective.

1. Introduction

Last year, EPIC undertook the first comprehensive review of
Internet privacy policies. Our "Surfer
Beware" report reviewed 100 of the most frequently visited Web
sites on the Internet.1
We checked whether sites collected personal information, had
established privacy policies, made use of cookies, and allowed
users to visit without disclosing their identities. We found that
few Web sites (only 17 of our sample) had explicit privacy
policies and none of the top 100 Web sites met basic standards for
privacy protection. However, we found that anonymity continues to
play an important role in online privacy, with many sites allowing
users to access Web services without disclosing personal data.
EPIC recommended that sites continue to support anonymity while
developing policies and practices to protect information privacy.

Since the release of "Surfer Beware," other similar studies
have been undertaken and new industry efforts to promote
self-regulation have been pursued.2
Earlier this month, the Federal Trade Commission (FTC) released
its report on online privacy, Privacy
Online: A Report to Congress.3
Surveying over 1,400 Web sites, the Commission reported that
upwards of 85 percent of Web sites collect personal information,
while only 14 percent provide any notice about their information
practices. The Commission concluded that "substantially greater
incentives are needed to spur self-regulation." It will recommend
an appropriate response to protect online consumer privacy later
this summer.

This report examines the online privacy practices of new
members of the Direct Marketing Association (DMA). As the largest
trade association for businesses interested in database marketing,
the DMA has been a staunch supporter of self-regulation. The DMA
has taken a number of steps to promote self-regulation and has
also opposed privacy legislation.

The following sections describe the motivation, methodology and
results of EPIC's report. The report concludes by recommending
legislation through enforceable Fair Information Practice (FIP)
principles.

2. History and Motivation

As the largest trade association for businesses interested in
database marketing, the DMA has been a staunch supporter of
self-regulation. In October 1997, DMA president and CEO H. Robert
Wientzen announced that the DMA would require its members to
provide adequate notice and opt-out capabilities.4
The Privacy
Action section of the DMA Web site encourages members to
prominently display a privacy policy page on their own Web sites
as well as participate in the DMA "Mail Preference Service" and
"Telephone Preference Service." The DMA will also help members
generate customized privacy policy pages which members can easily
download and post on their own sites.5

The DMA has said that it believes that these efforts are
sufficient to preclude the need for privacy
legislation. In response to the
recent FTC privacy report, Patricia Faley, DMA's Vice President of
Consumer Affairs, wrote:

While we've seen progress in posting privacy policies
since the Federal Trade Commission held its hearings on privacy
last June, we clearly still have a way to go. The Direct
Marketing Association will continue its business education
efforts to ensure that all DMA members, and indeed all
marketers, do the right thing and post privacy policies.
Business has been receptive to this message because it makes
good business sense, and our research shows the trendline is
going in the right direction.6

However, the findings of our study indicate that the DMA has
been unable to "ensure that all DMA members... post privacy
policies," and that businesses have not been receptive to its
message.

3. Methodology

While the DMA does not make a list of its members publicly
available, its Web site contains a list of its newest members.7
On June 15, 1998, EPIC reviewed a list of the DMA's new member
companies (those having joined since May 1998). By searching for
each company's Web site using the Alta
Vista search engine, EPIC was able to locate 40 company Web
sites out of the 76 companies which were listed.8

The sites were reviewed to see how they collect personal
information. In this study, collection of information ranged from
having a simple hyperlink to the company's e-mail to more
complicated registration, purchase, and contact forms. A simple
hyperlink to a company's e-mail address was considered to be a
form of collection of personal information since a list of return
e-mail addresses can be collected and aggregated in this fashion.
It is important to note that Web site cookie practices were not
included in this study. Rather than exploring the question of
whether Web sites surreptitiously collect personal information
through cookies, this report focused on the collection of personal
information which was apparent to the user. While a user may
knowingly release personal information to a Web site, he or she
should still retain certain rights concerning that information,
such as the right to inspect and correct data, to seek redress,
and to receive damages.

Next, the sites were searched for privacy statements, notices,
or policies. First, the home page itself was searched for such a
notice. If no notice was found, customer agreement and similar
pages were also searched. If a site had a search engine, the
keyword "privacy" was entered into the search engine. Because
privacy policies should be prominently displayed and easily found,
such methods were deemed sufficient.

3.1 Adequacy of Privacy Policies

In his announcement at the 80th Annual Conference &
Exhibition in October 1997, DMA president and CEO H. Robert
Wientzen stated that by July 1, 1999:

...all DMA members -- as a condition of membership --
will honor the principles of notice, opt-out, and the use of
suppression and the Mail Preference Service and Telephone
Preference Service.9

While these requirements would probably not satisfy traditional
Fair Information Practices, we decided to use the DMA's own
criteria to determine the adequacy of the policy practices of its
new members.10
That is, a Web site employing only proper notice and opt-out
options was classified as having an adequate privacy policy.
Specifically, if a Web site had some sort of privacy policy or
statement, that notice was examined for three important criteria:

Web site stated why the information was being
collected;

Web site stated how the information would be used; and

Web site provided opt-out options.

If a policy notice failed to meet these three criteria, it was
classified as inadequate.

3.2 Secondary Uses

The privacy policies were examined to determine whether collecting
organizations would use information for secondary uses such as
marketing and/or distribution to third parties.

3.3 Access to Personal Information

Each Web site was examined to determine whether it was possible
for users to access information the site collected about them.
Additionally, privacy policies were examined for the existence of
opt-in or opt-out privacy options.

4. Results

All 40 Web sites examined collected personal information in some
form or another. Seventy-eight percent (31 sites) of the sites
collected personal information through registration, application,
request, feedback, contact, and other similar forms.11
The remaining 22 percent collected personal information only
through hyperlinks to their e-mail addresses.

Only 20 percent (eight sites) of the sites had any semblance of
a privacy notice. Of these eight sites, only four (10 percent of
the total) had specifically "advertised" privacy policy pages or
statements. Three sites had "security and privacy" statements
which focused on the security of transactions rather than the use
of collected information. And the remaining site only had a small
sentence relating to privacy. The specific privacy notices and
other data of these sites are found in the Appendix.

EPIC concluded that three of the eight privacy notices
satisfied the DMA's own requirements as defined in Section
3.1. While three of the privacy notices explicitly restricted
the collection of personal information to the primary use, two of
the notices stated intentions to use collected personal
information for further marketing and distribution. While none of
the Web sites seemed to allow users to access their own
information, three of the privacy notices also had e-mail opt-out
options if users did not wish to have further contact with the
company. All sites could be accessed without knowingly disclosing
personal information. However, because cookie practices were not
explored, it is unknown whether these sites collected personal
information by tracking click streams.

5. Conclusions

In our survey we found that only a handful of new DMA members have
privacy policies that satisfy the DMA's own requirements.

We recommend that the DMA establish much clearer privacy
guidelines for new members at the time of entry into the
association, including an acceptable privacy policy that -- at a
minimum -- complies with the DMA's own requirements. Allowing
organizations that lack adequate privacy policies to join the DMA
sends the wrong message about the association's commitment to
privacy.

More generally, we believe that the DMA's inability to make
self-regulation work to protect privacy is a clear indication of
the need for legislation. Absent enforceable safeguards that apply
to all DMA members and provide some assurance of privacy, we can
only say to those who visit Internet sites operated by members of
the Direct Marketing Association, "Surfer Beware."

The 1980 OECD Guidelines on the Protection of Privacy and
Transborder Flows of Personal Data describe the basic principles
necessary for the protection of privacy and individual liberties
as:

Collection Limitation Principle

Data Quality Principle

Purpose Specification Principle

Use Limitation Principle

Security Safeguards Principle

Openness Principle

Individual Participation Principle

Accountability Principle

11. Five of these sites employed manual forms that needed to be
printed out rather than digitally submitted.

12. Edison Enterprises does have a notice concerning cookies.

7. Appendix

This section contains the data compiled on new DMA members since
May 1998 which were found to have Web sites.

7.1 Privacy Policies, Statements, and Notices

In this section we present the excerpts of privacy policies,
statements, and notices of the eight DMA Web sites found to have
such sections. For each notice, we provide an analysis of its
adequacy.

7.1.1 Privacy Sentences

The following companies offer a single sentence addressing the
consumer's privacy concerns upon releasing personal information.

Acorn Information Service:

Your responses will remain
anonymous.

7.1.2 Security and Privacy Statements Focused on Security

The following companies offer detailed security and privacy
statements on their Web sites. However, the information provided
on these pages focuses on the security of transmitting information
rather than the use of collected personal information.

Carfax, Inc.:

The information we collect is used
purely to process your orders -- we use the e-mail address
to deliver your report and use the credit card information
only to process the transaction. Carfax will not pass along
your personal information to any other organization for any
purpose.

Dextor Sport Science:

All DSS Store customers will enjoy the
same security and privacy as our customers shopping by
telephone.

Intelitech:

Finally all information that you supply
whether through a secure form or through a standard HTML
form is maintained by Intelitech exclusively for the purpose
of processing your orders and as legally required for tax
obligations. Intelitech does not make any information
available to anyone else, or even use it itself for any
other purposes.

7.1.3 Privacy Policy Pages or Statements

The following companies provide complete policy pages or
statements.

HealthWatcher System:

This site collects no personally
identifying information about you except when you
specifically and knowingly provide it.

HealthWatchers System may use your
personal identifying information for HealthWatchers
promotional and marketing purposes only. We do not rent or
sell our e-mail addresses. You have the ability to stop your
information being used for marketing and promotional
purposes by sending an e-mail request to HealthWatchers
System at privacy@healthwacthers.com.

The HealthWatchers System Web site places
a "cookie" in the browser file of your computer. The
"cookie" itself does not contain any personally identifying
information except your ShopperID number.

Please read more about
"cookies".

Post Communications:

Post Communications' Policy on Privacy

At its core definition, Relationship
Marketing is a dialogue built about trust and fair exchange
of value. To practice relationship marketing in the age of
the Internet requires that the foundation include not only
trust and mutual benefit, but privacy and security as well.
In this medium, where data can easily flow from one database
to another, this is even more critical. Post believes that
every company has an obligation to honor and respect the
privacy of its customers. The Post Online Relationship
Marketing Solution is specifically designed with built-in
best practices of privacy and security. To that end, Post
has developed the following privacy best practices:

Access to privacy policy
For every client program implemented, Post will ensure
that there is an easy to find, easy to read, easy to
understand privacy policy.

Value for Value
Post will maintain a sharp focus on ensuring that when a
customer provides information, he or she will receive a
valuable and relevant communication in return.

Customer Control
On every client program, Post will include a provision
for each and every customer to voluntarily choose what
information to provide, whether or not to participate in
the program and the ability to subscribe or unsubscribe
at any time.

Disclosure
Post will ensure that client programs have built-in
mechanism to disclose data sharing practices and an easy
method for customers to specify whether or not personal
information can be shared.

EPIC NOTE: While this privacy policy
seems adequate for "client programs," the policy does not
adequately address information collection practices at the
Web site itself.

ProMark One:

Privacy Policy Statement
For each visitor to our Web page, our server does not
automatically recognize any information regarding the domain
or e-mail address. We collect the e-mail address of those
who communicate with us via e-mail and information
volunteered by the consumer. This information is used by us
to contact consumers for marketing purposes. If you supply
us with your postal address or phone number on-line, you may
receive marketing-related mailings or telephone contact. If
you do not want to receive e-mail, mailings, or telephone
calls from us in the future, please send an e-mail to us by
pressing the envelope icon above and let us
know.

The Parable Group, Inc.:

For each visitor to our Web page, our
Web server automatically recognizes the consumers
domain name and e-mail address (where possible). We collect
the domain name and e-mail address (where possible) of
visitors to our Web page, the e-mail addresses of those who
communicate with us via e-mail and information volunteered
by the consumer, such as survey information and/or site
registrations.

The information we collect is used to
improve the content of our Web page, used to notify
consumers about updates to our Web site and used by us to
contact consumers for marketing purposes.

If you do not want to receive e-mail from
us in the future, please let us know by sending e-mail to us
at the above address and telling us that you do not want to
receive e-mail from our company.

If you supply us with your postal address
on-line you may receive periodic mailings from us with
information on new products and services or upcoming events.
If you do not wish to receive such mailings, please let us
know by sending e-mail to us at the above address. Also you
may receive mailings from other reputable companies. You
can, however, have your name put on our do-not-share list by
sending e-mail to us at the above address. Please provide us
with your exact name and address. We will be sure your name
is removed from the list we share with other
organizations.

Persons who supply us with their
telephone numbers on-line may receive telephone contact from
us with information regarding orders they have placed
on-line. Please provide us with your correct phone number.
We will be sure your name is removed from the list we share
with other organizations.

7.2 Company Data

This section presents the data collected on Web sites of DMA
members. If the "Collection of PII (Personally Identifiable
Information)" entry for a site is something other than "hyperlink
e-mail," this merely indicates that the site uses at least some
other means to collect additional information. That is, an entry
in this column does not mean that the site only collects PII for
such purposes. It may be possible that such sites collect PII for
additional purposes as well. The adequacy of privacy practices is
determined using the policy excerpts in Section
7.1 and the criteria of Section 3.1.